KShared Bypass Verified

Abstract: Traditional userland memory scanners (e.g., EDRs using NtReadVirtualMemory) rely on accurate translation of virtual addresses to physical frames. The KShared Bypass technique uses a specific feature of the Windows kernel, the KUSER_SHARED_DATA structure, to read physical memory without conventional API calls, thereby evading hooking and introspection. This paper examines the architectural mechanism, implementation methodology, and detection vectors associated with this bypass.

1. Introduction

Endpoint Detection and Response (EDR) systems commonly place hooks in userland APIs (e.g., ntdll!NtProtectVirtualMemory, kernel32!ReadProcessMemory) to monitor memory access. To bypass these hooks, adversaries have developed direct and indirect system calls. However, even direct syscalls can be monitored via kernel callbacks (PsSetCreateProcessNotifyRoutine, ObRegisterCallbacks). That is the gap this technique targets: during the read phase it issues no syscall at all.

3. Implementation Methodology

The implementation proceeds in numbered steps:

1. Obtain the target's DirectoryTableBase (CR3). This step may require a syscall (e.g., NtQuerySystemInformation), which is why many "pure" bypasses fail. Advanced implementations instead use PsActiveProcessHead, exported via KdDebuggerDataBlock, to walk the process list and read DirectoryTableBase from the EPROCESS structure, all via physical reads.

3. Map the physical page containing remoteAddr (requires kernel RW). This is the actual bypass: no NtReadVirtualMemory is used.

Two caveats follow directly from the listing. KUSER_SHARED_DATA is a read-only page that the kernel maps into every process at a fixed address; it does not by itself grant access to physical memory, and step 3 states that a kernel read/write primitive is required. Likewise, because step 1 may need a syscall, the technique is syscall-free only after the initial mapping: from that point on it reads the entire system's physical memory without any further syscalls.

4. Impact on Security Tools

| Tool Type | Evasion Effectiveness |
|-----------|----------------------|
| Userland hooks (EDR) | Full bypass: no userland API is called. |
| Handle and syscall monitoring (e.g., Sysmon Event ID 10, ProcessAccess) | Bypass: no process handle is opened and no NtReadVirtualMemory call is made. |
| Kernel callbacks (ObRegisterCallbacks) | Partial bypass: physical reads never open an object handle, so handle-based checks do not fire. |
| PatchGuard (x64) | Fires only if kernel code or protected structures are modified; a read-only bypass does not trigger it. |

These rows describe the read phase only. Acquiring the kernel RW primitive that step 3 depends on, and any syscall step 1 needs, remain visible to syscall and callback monitoring, so that is where detection effort belongs.
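The two steps above, CR3 recovered by walking the process list and remoteAddr then read through physical reads alone, as one worked example. This is an added example, not code from the page or its author. It simulates physical memory as a buffer, so the kernel RW primitive the technique requires is replaced by reads of that buffer; the EPROCESS field offsets, kernel virtual addresses, PID and sample data are assumed values for illustration (real offsets differ per Windows build), and the page tables are built with an ordinary x64 4-level layout so that the same walker serves both the kernel and the target address space.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "physical memory": 64 frames of 4 KiB. In the real technique every
 * read below would go through a kernel RW primitive; here it hits this buffer. */
#define FRAME   4096ULL
#define NFRAMES 64
static uint8_t phys[NFRAMES * FRAME];
static uint64_t next_frame = 1;              /* frame 0 is left unmapped on purpose */

#define PRESENT 1ULL
#define RW      2ULL
#define LARGE   (1ULL << 7)
#define PFN     0x000FFFFFFFFFF000ULL

/* EPROCESS field offsets: assumed values for illustration, they vary per build. */
#define OFF_DTB    0x28      /* DirectoryTableBase */
#define OFF_PID    0x440     /* UniqueProcessId */
#define OFF_LINKS  0x448     /* ActiveProcessLinks (LIST_ENTRY) */

#define HEAD_VA    0xFFFFF80000100000ULL  /* assumed kernel VA of PsActiveProcessHead */
#define EPROC_A    0xFFFFF80000101000ULL  /* two fake EPROCESS blocks, one per kernel page */
#define EPROC_B    0xFFFFF80000102000ULL
#define USER_VA    0x7FFE0000ULL          /* remoteAddr region in the target (two pages) */
#define TARGET_PID 4242ULL
static const char secret[] = "KSHARED-SECRET-TOKEN";  /* constructed sample data */

static int  rd64(uint64_t pa, uint64_t *out) {
    if (pa + 8 > sizeof phys) return 0;
    memcpy(out, phys + pa, 8);
    return 1;
}
static void wr64(uint64_t pa, uint64_t v) { memcpy(phys + pa, &v, 8); }
static uint64_t alloc_frame(void) { return (next_frame++) * FRAME; }

/* x64 4-level walk: CR3 -> PML4 -> PDPT -> PD -> PT, honouring 1 GiB and 2 MiB pages. */
int va_to_pa(uint64_t cr3, uint64_t va, uint64_t *pa) {
    uint64_t e, tbl = cr3 & PFN;
    int shifts[4] = {39, 30, 21, 12};
    for (int lvl = 0; lvl < 4; lvl++) {
        if (!rd64(tbl + ((va >> shifts[lvl]) & 0x1FF) * 8, &e) || !(e & PRESENT)) return 0;
        if (lvl == 1 && (e & LARGE)) { *pa = (e & 0x000FFFFFC0000000ULL) | (va & 0x3FFFFFFFULL); return 1; }
        if (lvl == 2 && (e & LARGE)) { *pa = (e & 0x000FFFFFFFE00000ULL) | (va & 0x1FFFFFULL); return 1; }
        tbl = e & PFN;
    }
    *pa = tbl | (va & 0xFFFULL);
    return 1;
}

/* Step 3: read len bytes at va in the address space rooted at cr3 using only
 * physical reads, one page at a time so reads may cross page boundaries. */
int read_remote(uint64_t cr3, uint64_t va, void *buf, size_t len) {
    uint8_t *dst = buf;
    while (len) {
        uint64_t pa;
        size_t n = FRAME - (va & (FRAME - 1));
        if (n > len) n = len;
        if (!va_to_pa(cr3, va, &pa) || pa + n > sizeof phys) return 0;
        memcpy(dst, phys + pa, n);
        dst += n; va += n; len -= n;
    }
    return 1;
}

/* Builders for the constructed image: map one 4 KiB page, allocating tables on demand. */
static void map_page(uint64_t cr3, uint64_t va, uint64_t frame_pa) {
    uint64_t e, tbl = cr3 & PFN;
    int shifts[3] = {39, 30, 21};
    for (int lvl = 0; lvl < 3; lvl++) {
        uint64_t slot = tbl + ((va >> shifts[lvl]) & 0x1FF) * 8;
        rd64(slot, &e);
        if (!(e & PRESENT)) { e = alloc_frame() | PRESENT | RW; wr64(slot, e); }
        tbl = e & PFN;
    }
    wr64(tbl + ((va >> 12) & 0x1FF) * 8, frame_pa | PRESENT | RW);
}
static void write_va(uint64_t cr3, uint64_t va, const void *src, size_t len) {
    const uint8_t *s = src;
    while (len) {
        uint64_t pa;
        size_t n = FRAME - (va & (FRAME - 1));
        if (n > len) n = len;
        if (!va_to_pa(cr3, va, &pa)) return;
        memcpy(phys + pa, s, n); s += n; va += n; len -= n;
    }
}
static void put64(uint64_t cr3, uint64_t va, uint64_t v) { write_va(cr3, va, &v, 8); }

/* Step 1 without NtQuerySystemInformation: follow PsActiveProcessHead through the
 * system CR3, CONTAINING_RECORD each link back to its EPROCESS, match the PID and
 * return DirectoryTableBase. A loop guard protects against a corrupted list. */
uint64_t find_cr3(uint64_t sys_cr3, uint64_t head_va, uint64_t pid) {
    uint64_t link, v;
    if (!read_remote(sys_cr3, head_va, &link, 8)) return 0;           /* head.Flink */
    for (int guard = 0; link != head_va && guard < 4096; guard++) {
        uint64_t eproc = link - OFF_LINKS;
        if (!read_remote(sys_cr3, eproc + OFF_PID, &v, 8)) return 0;
        if (v == pid) return read_remote(sys_cr3, eproc + OFF_DTB, &v, 8) ? v : 0;
        if (!read_remote(sys_cr3, link, &link, 8)) return 0;           /* next Flink */
    }
    return 0;
}

uint64_t sys_cr3, target_cr3;

void build_image(void) {
    memset(phys, 0, sizeof phys); next_frame = 1;
    sys_cr3 = alloc_frame(); target_cr3 = alloc_frame();
    map_page(sys_cr3, HEAD_VA, alloc_frame());
    map_page(sys_cr3, EPROC_A, alloc_frame());
    map_page(sys_cr3, EPROC_B, alloc_frame());
    put64(sys_cr3, HEAD_VA, EPROC_A + OFF_LINKS);                     /* head -> A -> B -> head */
    put64(sys_cr3, EPROC_A + OFF_PID, 4);  put64(sys_cr3, EPROC_A + OFF_DTB, sys_cr3);
    put64(sys_cr3, EPROC_A + OFF_LINKS, EPROC_B + OFF_LINKS);
    put64(sys_cr3, EPROC_B + OFF_PID, TARGET_PID); put64(sys_cr3, EPROC_B + OFF_DTB, target_cr3);
    put64(sys_cr3, EPROC_B + OFF_LINKS, HEAD_VA);
    map_page(target_cr3, USER_VA, alloc_frame());
    map_page(target_cr3, USER_VA + FRAME, alloc_frame());
    write_va(target_cr3, USER_VA + 0xFF8, secret, sizeof secret);    /* straddles the page boundary */
}

/* End to end: CR3 via the list walk, then remoteAddr read through physical reads only. */
int demo(void) {
    char buf[sizeof secret] = {0};
    build_image();
    uint64_t cr3 = find_cr3(sys_cr3, HEAD_VA, TARGET_PID);
    if (cr3 != target_cr3) return 0;
    if (!read_remote(cr3, USER_VA + 0xFF8, buf, sizeof buf)) return 0;
    return memcmp(buf, secret, sizeof secret) == 0;
}

int main(void) {
    printf("kshared-style read %s\n", demo() ? "ok" : "failed");
    return demo() ? 0 : 1;
}
```

Everything the walker touches is a physical address, which is the whole point: nothing in find_cr3 or read_remote opens a handle or enters the kernel through a syscall, so handle callbacks and syscall monitoring see only the step that set up the physical-read primitive in the first place.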